2.1 The Privacy Act and Health Information Privacy Code

How we confidentially manage patient information is one of the most important aspects of general practice. Protecting the private details of a patient is not just a matter of moral respect; it is essential in retaining the important bond of trust not only between clinicians and their patients/whānau but also with the wider practice team.

Standard – what we’ll be assessing on

2.1 The practice understands and implements the current Privacy Act and Health Information Privacy Code.

Evidence to provide for assessment

  • Completed team training records.
  • A documented privacy and health information security policy and procedure.

In general practice, when it comes to health information, the Code applies rules to organisations in the health sector, and patients have expectations about how their health information will be managed.

The Code recognises that people expect their health information:

  • to be kept confidential because it was probably collected in a situation of confidence and trust
  • to be treated as sensitive because it may include details about body, lifestyle, emotions and behaviour
  • may have ongoing use if a piece of medical information becomes clinically relevant even a long time after it was initially collected
  • will be used for the purposes for which it was originally collected and they will be told about those purposes.

The Privacy Act 2020

The Privacy Act 2020 controls how ‘agencies’ collect, use, disclose, store and give access to ‘personal information’.

Health Information Privacy Code 2020

The Health Information Privacy Code 2020 sets specific rules for agencies in the health sector. It covers health information collected, used, held and disclosed by health agencies and takes the place of the information privacy principles for the health sector.

Rules of the Health Information Privacy Code

The Health Information Privacy Code has thirteen rules:

  • Rules 1, 2, 3 and 4 govern the collection of health information. This includes the reasons why health information may be collected, where it may be collected from and how it is collected.
  • Rule 5 governs the way health information is stored. It is designed to protect health information from unauthorised use or disclosure.
  • Rule 6 gives individuals the right to access their health information.
  • Rule 7 gives individuals the right to correct their health information.
  • Rules 8, 9, 10 and 11 place restrictions on how people and organisations can use or disclose health information. These include ensuring information is accurate and up-to-date and is not improperly disclosed.
  • Rule 12 governs the disclosure of health information outside of New Zealand.
  • Rule 13 governs how ‘unique identifiers’ - such as Inland Revenue Department (IRD) numbers, bank client numbers, driver's licence and passport numbers - can be used.

Dr Ros Wall speaks to a pregnant patient.

Training

All team members are to complete current Privacy Act and Code training provided by the Office of the Privacy Commissioner. 

The Privacy Officer is responsible for understanding the Privacy Commissioner’s guidance and ensuring resources are available for training. Privacy Officers are to complete Privacy 101 and Health 101.

For the remaining team members, the required minimum is Health ABC and Privacy ABC. However, the practice should determine training for the remaining team members relevant to their roles.

If Health ABC and Privacy ABC or Privacy 101 and Health 101 were completed prior to December 2020, then team members need to complete the Privacy Act 2020 training.

Training requirements for Privacy Officers

(and those requiring a higher level of knowledge according to their role)

  • Health 101: An Introduction to the Health Information Privacy Code

    Two to three hours’ commitment. In this course you will be introduced to the main concepts covered by the Health Information Privacy Code and learn about how the Code is applied in practice. This course is designed to give you an understanding of health sector agencies’ responsibilities when handling personal health information.

  • AND Privacy 101: An Introduction to the Privacy Act

    Two to three hours’ commitment. In this course you will be introduced to the main concepts covered by the Privacy Act and learn about how the Act is applied in practice. This course is designed to give you an understanding of public and private sector agencies’ responsibilities when handling personal information.

For other team members

(for example GPs, nurses and admin/reception)

  • Health ABC

    30 minutes time commitment. This course aims to give you an overview of the Health Information Privacy Code, including the main concepts covered by the Code and how the Code applies in practice.

  • AND Privacy ABC

    This course aims to give you an overview of the Privacy Act, including the main concepts covered by the Act and how the Act is applied in practice.

Dr Vanisi Prescott in her office

Management of Patient information

General practice ICT security checklist

The ICT security checklist covers the essentials of digital security. This checklist is based on the baseline requirements discussed in the Health Information Security Framework.

Third party access

Patients can approve third party access to records, results, or request/collect prescriptions through clear documentation. Third parties include but are not limited to a family member, spouse, or friend. Discretion may be applied if the patient is incapacitated, cognitively or physically impaired, in difficult social circumstances or a child. Youth records must be reviewed to ensure their confidentiality is maintained.

Video and telephone consultations

Included in the privacy policy is the practice process for maintaining patient privacy with video and telephone consultations. This may include how a health provider establishes privacy at both the practitioner and patient ends of the consultation and informing the patient whether the consultation is being recorded or not.

Developing a security policy and protecting health information in the practice

Rule 5 of the Health Information Privacy Code 2020 describes reasonable security safeguards to protect health information. This includes keeping the information safe from loss, as well as from unauthorised access, use, modification or disclosure.

The practice must include how it protects the patient’s privacy with photographs, in particular: using a secure device, not retaining photos on devices, submitting photos securely, and secure storage within the PMS.

To comply with rule 5, the practice needs to consider what risks exist for the health information the practice holds and implement a plan to address those risks.

Security of electronic health information

Most sensitive information in general practice is likely to be stored within the PMS, therefore the electronic PMS must be deployed in an up-to-date, secure and fit-for-purpose IT environment.

  • Most PMS systems can assign roles to people and restrict the access of information at varying levels.

    Access to the PMS must be assigned appropriately, based on each person’s role. Custodial or cleaning staff must not have access to the PMS. Receptionists and administrators are bound by the current Privacy Act and, at the discretion of management, can be granted access to clinical information in order to fulfil their roles.

  • It is essential that access to the PMS system requires a personal password and the system automatically requires a password to access the computer/terminal or the PMS after a period of inactivity (no more than 15 minutes).

    An alternative is password-protected screensavers or other automated security applications. This protects against unattended access to computers if team members forget to log off or walk away and are away longer than they expect. Consider shorter timeout periods for computers in consultation rooms or other locations where patients may be left alone, even for short periods of time. Terminals and personal computers must be positioned so the screens cannot be seen by unauthorised personnel or patients.

  • Provision for maintaining patient confidentiality, privacy and security of patient information during video or telephone consults is included in the practice’s privacy policy.

    For example, a practice process that outlines which approved, secure digital platform the practice uses for video conferencing: one that has end-to-end encryption and is endorsed by established health providers who have completed both a Privacy Impact Assessment (PIA) and a Cloud Risk Assessment (CRA). We encourage all organisations and companies to work towards completing their own PIA and CRA.

  • If your practice has a privacy breach that has caused serious harm to someone (or is likely to do so)...

    ...the practice will need to notify the Office of the Privacy Commissioner as soon as possible. The practice must also notify those patients affected by the breach.

Backup and retrieval system

A backup is a copy of some or all files and information stored on a system. The purpose of a backup is to be able to recover all patient information stored in the computer system. Backups need to include the PMS database and other patient information e.g. photos, scanned documents not in the PMS. It may also include other computer files contained on the system e.g. HR records, financial data, emails, business records.

  • At a minimum, the system needs to back up essential electronic data daily (if not in real time).

    Taking a backup of the most important files at least every day is important. In the event of a catastrophic loss of the system (perhaps a building fire or a computer virus that renders the files or system unusable), the backup is used to retrieve important information. Be aware that the practice will lose any information between the latest backup and when the practice wishes to restore it. Best practice is a backup that allows restoration of the complete ‘in practice’ computer system.

  • Holding a copy of the backups and files offsite (or using a secure online service) is important to protect against events such as fire or theft, where both the original files and backups could be compromised.

    Because the backups will almost always contain sensitive information, it is also important that the physical location in which the backups are being stored is secure and/or protected by a secure password.

  • Practice team members storing backups in their homes is not considered to be a secure way of keeping offsite backups.

    There may be issues with practice team members having the potential to lose the backups or having those backups stolen from their home. Both situations would compromise the information security. If the practice uses physical backups, it is important that the practice uses a professional service that can satisfy the requirement for secure transport and storage of those media.

  • The practice needs to regularly check that it is possible to retrieve and restore the systems to a safe working state.

    It is important the practice does this when the backup method is first established and at other times when more than a minor change is made to that scheme.

  • Consider planning the backup and restore test in conjunction with a third-party IT provider.

    The practice would normally test the restoration process into an environment outside of the normal practice system (to simulate what may happen in a disaster situation). This test may require some time. For most small businesses this task would only be undertaken sporadically.
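
The restore test described above can be scripted. The following is an added example, not part of the original guidance: it assumes the backup is a gzip-compressed tar archive with a manifest of SHA-256 digests written at backup time, and the names make_backup, verify_restore and the ".manifest.json" suffix are hypothetical. It checks that the backup is no older than a day, restores it into a scratch directory outside the live system, and confirms every file comes back unchanged.

```python
import hashlib, json, tarfile, tempfile, time
from pathlib import Path

MAX_AGE_HOURS = 24  # the page's minimum: essential data backed up daily

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source_dir, archive):
    """Write the archive plus a manifest of digests taken at backup time."""
    source_dir = Path(source_dir)
    manifest = {p.relative_to(source_dir).as_posix(): sha256(p)
                for p in sorted(source_dir.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest))
    return manifest

def verify_restore(archive, now=None):
    """Restore into a scratch directory and return a list of problems found."""
    archive, problems = Path(archive), []
    age_h = ((now or time.time()) - archive.stat().st_mtime) / 3600
    if age_h > MAX_AGE_HOURS:
        problems.append(f"backup is {age_h:.1f} h old (limit {MAX_AGE_HOURS} h)")
    manifest = json.loads(Path(f"{archive}.manifest.json").read_text())
    # Use the safe extraction filter where the running Python provides it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:  # never the live system
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return problems + [f"archive unreadable: {exc}"]
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256(restored) != digest:
                problems.append(f"content changed: {rel}")
    return problems
```

An empty list means the backup restored cleanly; anything else is a finding to raise with the IT provider. The scratch directory is deleted when the check finishes, so no restored patient data is left behind.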

Dr Lily Fraser adds patient notes to the computer during a consultation.

Independent auditing of the electronic data systems and policies

It is important that the practice provides evidence of independent auditing of the electronic data systems and policies. If the practice uses a third-party IT support provider, the provider must be able to provide some independence in terms of audit and identifying information issues. Having a specialist IT provider can help maintain the system and ensure security of the system.

The third-party IT specialist must be external to the practice. This excludes family or friends. The practice must have a contract with the third-party IT provider. The contract can be on an as-needed basis or a retainer.

Impacts on management of health information in an evolving environment

Elements to consider when developing a process for video/telephone consultations:

  • Find a digital platform that has end-to-end encryption, is endorsed by established health providers who have completed both a Privacy Impact Assessment (PIA) and a Cloud Risk Assessment (CRA), and is easy for patients and providers to use.
  • Prior to video consult: a phone call from a practice team member, such as a nurse, to establish whether the consult can be done by video or telephone and ensure the patient understands:
    • how to connect with the platform
    • to set themselves up in a private room/space
    • to be aware of anyone able to listen in, especially if on speaker phone or speaker
    • that having another person or whānau present during the consult is acceptable and to let the provider know
    • that they have options, i.e., would the patient prefer a telephone or video consultation? (if applicable)
    • that during the consult, the provider may decide they need an ‘in person’ consultation and request they visit the medical centre
    • what the fees are, including if the consultation is split between video/telephone and ‘in person’.

Practices need to:

  • Establish how informed consent is obtained and attached to the patient’s file in the PMS.
  • Ensure health providers know to document in the patient notes (PMS) the type of consult undertaken.
  • Ensure health providers know to document in notes if the patient refuses to come for an ‘in person’ appointment.
  • Establish how any test or diagnostic results will be communicated.
  • Ensure providers have training.

Privacy and health information policy

A Privacy and health information policy and procedure must include:

  • Adherence to privacy legislation.
  • A designated Privacy Officer.
  • Training of practice team members according to role.
  • Provisions for maintaining privacy in the practice’s physical environment (for example, a radio playing, front desk security, management of patients’ medical notes, etc).
  • Adherence to the Health Information Privacy Code (HIPC).
  • A process around how practices collect, use, disclose, store, and give access to personal medical information.
  • Keeping the information safe from loss, as well as from unauthorised access, use, modification, or disclosure.
  • How patients can approve third party access to records, results, or request/collect prescriptions.
  • A process for maintaining patient privacy with video and telephone consultations.
  • Digital security - based on the baseline requirements discussed in the Health Information Security Framework.
  • Identified areas where risks exist for patients’ health information and a plan to address those risks within the practice.
  • Keeping medical information safe from loss.
  • A process for managing a privacy breach.
  • PMS safeguards (passwords/screen savers, privacy screens, etc).
  • Independent auditing from a third-party IT technician.
  • Backup and retrieval system process.